crypto/...: more fixes for bug 2841

1) Remove the Reset() member in crypto/aes and crypto/des (and
   document the change).
2) Turn several empty error structures into vars. Any remaining error
   structures are either non-empty, or will probably become so in the
   future.
3) Implement SetWriteDeadline for TLS sockets. At the moment, the TLS
   status cannot be reused after a Write error, which is probably fine
   for most uses.
4) Make crypto/aes and crypto/des return a cipher.Block.

R=rsc, r
CC=golang-dev
https://golang.org/cl/5625045

15 files changed, 110 insertions, 155 deletions

diff --git a/src/pkg/crypto/aes/cipher.go b/src/pkg/crypto/aes/cipher.go
index 28752e7361..7d307c93a0 100644
--- a/src/pkg/crypto/aes/cipher.go
+++ b/src/pkg/crypto/aes/cipher.go
@@ -4,13 +4,16 @@
 
 package aes
 
-import "strconv"
+import (
+	"crypto/cipher"
+	"strconv"
+)
 
 // The AES block size in bytes.
 const BlockSize = 16
 
-// A Cipher is an instance of AES encryption using a particular key.
-type Cipher struct {
+// A cipher is an instance of AES encryption using a particular key.
+type aesCipher struct {
 	enc []uint32
 	dec []uint32
 }
@@ -21,11 +24,11 @@ func (k KeySizeError) Error() string {
 	return "crypto/aes: invalid key size " + strconv.Itoa(int(k))
 }
 
-// NewCipher creates and returns a new Cipher.
+// NewCipher creates and returns a new cipher.Block.
 // The key argument should be the AES key,
 // either 16, 24, or 32 bytes to select
 // AES-128, AES-192, or AES-256.
-func NewCipher(key []byte) (*Cipher, error) {
+func NewCipher(key []byte) (cipher.Block, error) {
 	k := len(key)
 	switch k {
 	default:
@@ -35,34 +38,13 @@ func NewCipher(key []byte) (*Cipher, error) {
 	}
 
 	n := k + 28
-	c := &Cipher{make([]uint32, n), make([]uint32, n)}
+	c := &aesCipher{make([]uint32, n), make([]uint32, n)}
 	expandKey(key, c.enc, c.dec)
 	return c, nil
 }
 
-// BlockSize returns the AES block size, 16 bytes.
-// It is necessary to satisfy the Block interface in the
-// package "crypto/cipher".
-func (c *Cipher) BlockSize() int { return BlockSize }
+func (c *aesCipher) BlockSize() int { return BlockSize }
 
-// Encrypt encrypts the 16-byte buffer src using the key k
-// and stores the result in dst.
-// Note that for amounts of data larger than a block,
-// it is not safe to just call Encrypt on successive blocks;
-// instead, use an encryption mode like CBC (see crypto/cipher/cbc.go).
-func (c *Cipher) Encrypt(dst, src []byte) { encryptBlock(c.enc, dst, src) }
+func (c *aesCipher) Encrypt(dst, src []byte) { encryptBlock(c.enc, dst, src) }
 
-// Decrypt decrypts the 16-byte buffer src using the key k
-// and stores the result in dst.
-func (c *Cipher) Decrypt(dst, src []byte) { decryptBlock(c.dec, dst, src) }
-
-// Reset zeros the key data, so that it will no longer
-// appear in the process's memory.
-func (c *Cipher) Reset() {
-	for i := 0; i < len(c.enc); i++ {
-		c.enc[i] = 0
-	}
-	for i := 0; i < len(c.dec); i++ {
-		c.dec[i] = 0
-	}
-}
+func (c *aesCipher) Decrypt(dst, src []byte) { decryptBlock(c.dec, dst, src) }
diff --git a/src/pkg/crypto/cipher/cbc_aes_test.go b/src/pkg/crypto/cipher/cbc_aes_test.go
index 944ca1ba85..cee3a784b5 100644
--- a/src/pkg/crypto/cipher/cbc_aes_test.go
+++ b/src/pkg/crypto/cipher/cbc_aes_test.go
@@ -8,11 +8,12 @@
 // Special Publication 800-38A, ``Recommendation for Block Cipher
 // Modes of Operation,'' 2001 Edition, pp. 24-29.
 
-package cipher
+package cipher_test
 
 import (
 	"bytes"
 	"crypto/aes"
+	"crypto/cipher"
 	"testing"
 )
 
@@ -72,14 +73,14 @@ func TestCBC_AES(t *testing.T) {
 			continue
 		}
 
-		encrypter := NewCBCEncrypter(c, tt.iv)
+		encrypter := cipher.NewCBCEncrypter(c, tt.iv)
 		d := make([]byte, len(tt.in))
 		encrypter.CryptBlocks(d, tt.in)
 		if !bytes.Equal(tt.out, d) {
 			t.Errorf("%s: CBCEncrypter\nhave %x\nwant %x", test, d, tt.out)
 		}
 
-		decrypter := NewCBCDecrypter(c, tt.iv)
+		decrypter := cipher.NewCBCDecrypter(c, tt.iv)
 		p := make([]byte, len(d))
 		decrypter.CryptBlocks(p, d)
 		if !bytes.Equal(tt.in, p) {
diff --git a/src/pkg/crypto/cipher/cfb_test.go b/src/pkg/crypto/cipher/cfb_test.go
index 9547bfceb7..f704b337e4 100644
--- a/src/pkg/crypto/cipher/cfb_test.go
+++ b/src/pkg/crypto/cipher/cfb_test.go
@@ -2,11 +2,12 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-package cipher
+package cipher_test
 
 import (
 	"bytes"
 	"crypto/aes"
+	"crypto/cipher"
 	"crypto/rand"
 	"testing"
 )
@@ -21,11 +22,11 @@ func TestCFB(t *testing.T) {
 	plaintext := []byte("this is the plaintext")
 	iv := make([]byte, block.BlockSize())
 	rand.Reader.Read(iv)
-	cfb := NewCFBEncrypter(block, iv)
+	cfb := cipher.NewCFBEncrypter(block, iv)
 	ciphertext := make([]byte, len(plaintext))
 	cfb.XORKeyStream(ciphertext, plaintext)
 
-	cfbdec := NewCFBDecrypter(block, iv)
+	cfbdec := cipher.NewCFBDecrypter(block, iv)
 	plaintextCopy := make([]byte, len(plaintext))
 	cfbdec.XORKeyStream(plaintextCopy, ciphertext)
 
diff --git a/src/pkg/crypto/cipher/common_test.go b/src/pkg/crypto/cipher/common_test.go
index fb755757c2..c75c919d17 100644
--- a/src/pkg/crypto/cipher/common_test.go
+++ b/src/pkg/crypto/cipher/common_test.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-package cipher
+package cipher_test
 
 // Common values for tests.
 
diff --git a/src/pkg/crypto/cipher/ctr_aes_test.go b/src/pkg/crypto/cipher/ctr_aes_test.go
index 8dca9968c4..d019ae0d02 100644
--- a/src/pkg/crypto/cipher/ctr_aes_test.go
+++ b/src/pkg/crypto/cipher/ctr_aes_test.go
@@ -8,11 +8,12 @@
 // Special Publication 800-38A, ``Recommendation for Block Cipher
 // Modes of Operation,'' 2001 Edition, pp. 55-58.
 
-package cipher
+package cipher_test
 
 import (
 	"bytes"
 	"crypto/aes"
+	"crypto/cipher"
 	"testing"
 )
 
@@ -76,7 +77,7 @@ func TestCTR_AES(t *testing.T) {
 
 		for j := 0; j <= 5; j += 5 {
 			in := tt.in[0 : len(tt.in)-j]
-			ctr := NewCTR(c, tt.iv)
+			ctr := cipher.NewCTR(c, tt.iv)
 			encrypted := make([]byte, len(in))
 			ctr.XORKeyStream(encrypted, in)
 			if out := tt.out[0:len(in)]; !bytes.Equal(out, encrypted) {
@@ -86,7 +87,7 @@ func TestCTR_AES(t *testing.T) {
 
 		for j := 0; j <= 7; j += 7 {
 			in := tt.out[0 : len(tt.out)-j]
-			ctr := NewCTR(c, tt.iv)
+			ctr := cipher.NewCTR(c, tt.iv)
 			plain := make([]byte, len(in))
 			ctr.XORKeyStream(plain, in)
 			if out := tt.in[0:len(in)]; !bytes.Equal(out, plain) {
diff --git a/src/pkg/crypto/cipher/ofb_test.go b/src/pkg/crypto/cipher/ofb_test.go
index 9b4495c883..8d3c5d3a38 100644
--- a/src/pkg/crypto/cipher/ofb_test.go
+++ b/src/pkg/crypto/cipher/ofb_test.go
@@ -8,11 +8,12 @@
 // Special Publication 800-38A, ``Recommendation for Block Cipher
 // Modes of Operation,'' 2001 Edition, pp. 52-55.
 
-package cipher
+package cipher_test
 
 import (
 	"bytes"
 	"crypto/aes"
+	"crypto/cipher"
 	"testing"
 )
 
@@ -76,7 +77,7 @@ func TestOFB(t *testing.T) {
 
 		for j := 0; j <= 5; j += 5 {
 			plaintext := tt.in[0 : len(tt.in)-j]
-			ofb := NewOFB(c, tt.iv)
+			ofb := cipher.NewOFB(c, tt.iv)
 			ciphertext := make([]byte, len(plaintext))
 			ofb.XORKeyStream(ciphertext, plaintext)
 			if !bytes.Equal(ciphertext, tt.out[:len(plaintext)]) {
@@ -86,7 +87,7 @@ func TestOFB(t *testing.T) {
 
 		for j := 0; j <= 5; j += 5 {
 			ciphertext := tt.out[0 : len(tt.in)-j]
-			ofb := NewOFB(c, tt.iv)
+			ofb := cipher.NewOFB(c, tt.iv)
 			plaintext := make([]byte, len(ciphertext))
 			ofb.XORKeyStream(plaintext, ciphertext)
 			if !bytes.Equal(plaintext, tt.in[:len(ciphertext)]) {
diff --git a/src/pkg/crypto/des/block.go b/src/pkg/crypto/des/block.go
index e18eaedf58..c11c62cd72 100644
--- a/src/pkg/crypto/des/block.go
+++ b/src/pkg/crypto/des/block.go
@@ -79,7 +79,7 @@ func ksRotate(in uint32) (out []uint32) {
 }
 
 // creates 16 56-bit subkeys from the original key
-func (c *Cipher) generateSubkeys(keyBytes []byte) {
+func (c *desCipher) generateSubkeys(keyBytes []byte) {
 	// apply PC1 permutation to key
 	key := binary.BigEndian.Uint64(keyBytes)
 	permutedKey := permuteBlock(key, permutedChoice1[:])
diff --git a/src/pkg/crypto/des/cipher.go b/src/pkg/crypto/des/cipher.go
index 1c41e29a8b..2f929ca7be 100644
--- a/src/pkg/crypto/des/cipher.go
+++ b/src/pkg/crypto/des/cipher.go
@@ -4,7 +4,10 @@
 
 package des
 
-import "strconv"
+import (
+	"crypto/cipher"
+	"strconv"
+)
 
 // The DES block size in bytes.
 const BlockSize = 8
@@ -15,86 +18,56 @@ func (k KeySizeError) Error() string {
 	return "crypto/des: invalid key size " + strconv.Itoa(int(k))
 }
 
-// Cipher is an instance of DES encryption.
-type Cipher struct {
+// desCipher is an instance of DES encryption.
+type desCipher struct {
 	subkeys [16]uint64
 }
 
-// NewCipher creates and returns a new Cipher.
-func NewCipher(key []byte) (*Cipher, error) {
+// NewCipher creates and returns a new cipher.Block.
+func NewCipher(key []byte) (cipher.Block, error) {
 	if len(key) != 8 {
 		return nil, KeySizeError(len(key))
 	}
 
-	c := new(Cipher)
+	c := new(desCipher)
 	c.generateSubkeys(key)
 	return c, nil
 }
 
-// BlockSize returns the DES block size, 8 bytes.
-func (c *Cipher) BlockSize() int { return BlockSize }
+func (c *desCipher) BlockSize() int { return BlockSize }
 
-// Encrypt encrypts the 8-byte buffer src and stores the result in dst.
-// Note that for amounts of data larger than a block,
-// it is not safe to just call Encrypt on successive blocks;
-// instead, use an encryption mode like CBC (see crypto/cipher/cbc.go).
-func (c *Cipher) Encrypt(dst, src []byte) { encryptBlock(c.subkeys[:], dst, src) }
+func (c *desCipher) Encrypt(dst, src []byte) { encryptBlock(c.subkeys[:], dst, src) }
 
-// Decrypt decrypts the 8-byte buffer src and stores the result in dst.
-func (c *Cipher) Decrypt(dst, src []byte) { decryptBlock(c.subkeys[:], dst, src) }
+func (c *desCipher) Decrypt(dst, src []byte) { decryptBlock(c.subkeys[:], dst, src) }
 
-// Reset zeros the key data, so that it will no longer
-// appear in the process's memory.
-func (c *Cipher) Reset() {
-	for i := 0; i < len(c.subkeys); i++ {
-		c.subkeys[i] = 0
-	}
-}
-
-// A TripleDESCipher is an instance of TripleDES encryption.
-type TripleDESCipher struct {
-	cipher1, cipher2, cipher3 Cipher
+// A tripleDESCipher is an instance of TripleDES encryption.
+type tripleDESCipher struct {
+	cipher1, cipher2, cipher3 desCipher
 }
 
-// NewCipher creates and returns a new Cipher.
-func NewTripleDESCipher(key []byte) (*TripleDESCipher, error) {
+// NewTripleDESCipher creates and returns a new cipher.Block.
+func NewTripleDESCipher(key []byte) (cipher.Block, error) {
 	if len(key) != 24 {
 		return nil, KeySizeError(len(key))
 	}
 
-	c := new(TripleDESCipher)
+	c := new(tripleDESCipher)
 	c.cipher1.generateSubkeys(key[:8])
 	c.cipher2.generateSubkeys(key[8:16])
 	c.cipher3.generateSubkeys(key[16:])
 	return c, nil
 }
 
-// BlockSize returns the TripleDES block size, 8 bytes.
-// It is necessary to satisfy the Block interface in the
-// package "crypto/cipher".
-func (c *TripleDESCipher) BlockSize() int { return BlockSize }
+func (c *tripleDESCipher) BlockSize() int { return BlockSize }
 
-// Encrypts the 8-byte buffer src and stores the result in dst.
-// Note that for amounts of data larger than a block,
-// it is not safe to just call Encrypt on successive blocks;
-// instead, use an encryption mode like CBC (see crypto/cipher/cbc.go).
-func (c *TripleDESCipher) Encrypt(dst, src []byte) {
+func (c *tripleDESCipher) Encrypt(dst, src []byte) {
 	c.cipher1.Encrypt(dst, src)
 	c.cipher2.Decrypt(dst, dst)
 	c.cipher3.Encrypt(dst, dst)
 }
 
-// Decrypts the 8-byte buffer src and stores the result in dst.
-func (c *TripleDESCipher) Decrypt(dst, src []byte) {
+func (c *tripleDESCipher) Decrypt(dst, src []byte) {
 	c.cipher3.Decrypt(dst, src)
 	c.cipher2.Encrypt(dst, dst)
 	c.cipher1.Decrypt(dst, dst)
 }
-
-// Reset zeros the key data, so that it will no longer
-// appear in the process's memory.
-func (c *TripleDESCipher) Reset() {
-	c.cipher1.Reset()
-	c.cipher2.Reset()
-	c.cipher3.Reset()
-}
diff --git a/src/pkg/crypto/des/des_test.go b/src/pkg/crypto/des/des_test.go
index d1f3aa71ac..e9fc236299 100644
--- a/src/pkg/crypto/des/des_test.go
+++ b/src/pkg/crypto/des/des_test.go
@@ -1260,11 +1260,19 @@ var tableA4Tests = []CryptTest{
 		[]byte{0x63, 0xfa, 0xc0, 0xd0, 0x34, 0xd9, 0xf7, 0x93}},
 }
 
+func newCipher(key []byte) *desCipher {
+	c, err := NewCipher(key)
+	if err != nil {
+		panic("NewCipher failed: " + err.Error())
+	}
+	return c.(*desCipher)
+}
+
 // Use the known weak keys to test DES implementation
 func TestWeakKeys(t *testing.T) {
 	for i, tt := range weakKeyTests {
 		var encrypt = func(in []byte) (out []byte) {
-			c, _ := NewCipher(tt.key)
+			c := newCipher(tt.key)
 			out = make([]byte, len(in))
 			encryptBlock(c.subkeys[:], out, in)
 			return
@@ -1285,7 +1293,7 @@ func TestWeakKeys(t *testing.T) {
 func TestSemiWeakKeyPairs(t *testing.T) {
 	for i, tt := range semiWeakKeyTests {
 		var encrypt = func(key, in []byte) (out []byte) {
-			c, _ := NewCipher(key)
+			c := newCipher(key)
 			out = make([]byte, len(in))
 			encryptBlock(c.subkeys[:], out, in)
 			return
@@ -1305,7 +1313,7 @@ func TestSemiWeakKeyPairs(t *testing.T) {
 
 func TestDESEncryptBlock(t *testing.T) {
 	for i, tt := range encryptDESTests {
-		c, _ := NewCipher(tt.key)
+		c := newCipher(tt.key)
 		out := make([]byte, len(tt.in))
 		encryptBlock(c.subkeys[:], out, tt.in)
 
@@ -1317,7 +1325,7 @@ func TestDESEncryptBlock(t *testing.T) {
 
 func TestDESDecryptBlock(t *testing.T) {
 	for i, tt := range encryptDESTests {
-		c, _ := NewCipher(tt.key)
+		c := newCipher(tt.key)
 		plain := make([]byte, len(tt.in))
 		decryptBlock(c.subkeys[:], plain, tt.out)
 
diff --git a/src/pkg/crypto/dsa/dsa.go b/src/pkg/crypto/dsa/dsa.go
index 81487f68f4..f7c4783179 100644
--- a/src/pkg/crypto/dsa/dsa.go
+++ b/src/pkg/crypto/dsa/dsa.go
@@ -29,17 +29,11 @@ type PrivateKey struct {
 	X *big.Int
 }
 
-type invalidPublicKeyError int
-
-func (invalidPublicKeyError) Error() string {
-	return "crypto/dsa: invalid public key"
-}
-
 // ErrInvalidPublicKey results when a public key is not usable by this code.
 // FIPS is quite strict about the format of DSA keys, but other code may be
 // less so. Thus, when using keys which may have been generated by other code,
 // this error must be handled.
-var ErrInvalidPublicKey error = invalidPublicKeyError(0)
+var ErrInvalidPublicKey = errors.New("crypto/dsa: invalid public key")
 
 // ParameterSizes is a enumeration of the acceptable bit lengths of the primes
 // in a set of DSA parameters. See FIPS 186-3, section 4.2.
diff --git a/src/pkg/crypto/rand/rand_unix.go b/src/pkg/crypto/rand/rand_unix.go
index 5d4fc8198a..5eb4cda2b3 100644
--- a/src/pkg/crypto/rand/rand_unix.go
+++ b/src/pkg/crypto/rand/rand_unix.go
@@ -12,6 +12,7 @@ package rand
 import (
 	"bufio"
 	"crypto/aes"
+	"crypto/cipher"
 	"io"
 	"os"
 	"sync"
@@ -66,7 +67,7 @@ func newReader(entropy io.Reader) io.Reader {
 type reader struct {
 	mu                   sync.Mutex
 	budget               int // number of bytes that can be generated
-	cipher               *aes.Cipher
+	cipher               cipher.Block
 	entropy              io.Reader
 	time, seed, dst, key [aes.BlockSize]byte
 }
diff --git a/src/pkg/crypto/rsa/pkcs1v15.go b/src/pkg/crypto/rsa/pkcs1v15.go
index 4f12cbea5c..254f4a3da0 100644
--- a/src/pkg/crypto/rsa/pkcs1v15.go
+++ b/src/pkg/crypto/rsa/pkcs1v15.go
@@ -21,7 +21,7 @@ import (
 func EncryptPKCS1v15(rand io.Reader, pub *PublicKey, msg []byte) (out []byte, err error) {
 	k := (pub.N.BitLen() + 7) / 8
 	if len(msg) > k-11 {
-		err = MessageTooLongError{}
+		err = ErrMessageTooLong
 		return
 	}
 
@@ -47,7 +47,7 @@ func EncryptPKCS1v15(rand io.Reader, pub *PublicKey, msg []byte) (out []byte, er
 func DecryptPKCS1v15(rand io.Reader, priv *PrivateKey, ciphertext []byte) (out []byte, err error) {
 	valid, out, err := decryptPKCS1v15(rand, priv, ciphertext)
 	if err == nil && valid == 0 {
-		err = DecryptionError{}
+		err = ErrDecryption
 	}
 
 	return
@@ -69,7 +69,7 @@ func DecryptPKCS1v15(rand io.Reader, priv *PrivateKey, ciphertext []byte) (out [
 func DecryptPKCS1v15SessionKey(rand io.Reader, priv *PrivateKey, ciphertext []byte, key []byte) (err error) {
 	k := (priv.N.BitLen() + 7) / 8
 	if k-(len(key)+3+8) < 0 {
-		err = DecryptionError{}
+		err = ErrDecryption
 		return
 	}
 
@@ -86,7 +86,7 @@ func DecryptPKCS1v15SessionKey(rand io.Reader, priv *PrivateKey, ciphertext []by
 func decryptPKCS1v15(rand io.Reader, priv *PrivateKey, ciphertext []byte) (valid int, msg []byte, err error) {
 	k := (priv.N.BitLen() + 7) / 8
 	if k < 11 {
-		err = DecryptionError{}
+		err = ErrDecryption
 		return
 	}
 
@@ -170,7 +170,7 @@ func SignPKCS1v15(rand io.Reader, priv *PrivateKey, hash crypto.Hash, hashed []b
 	tLen := len(prefix) + hashLen
 	k := (priv.N.BitLen() + 7) / 8
 	if k < tLen+11 {
-		return nil, MessageTooLongError{}
+		return nil, ErrMessageTooLong
 	}
 
 	// EM = 0x00 || 0x01 || PS || 0x00 || T
@@ -203,7 +203,7 @@ func VerifyPKCS1v15(pub *PublicKey, hash crypto.Hash, hashed []byte, sig []byte)
 	tLen := len(prefix) + hashLen
 	k := (pub.N.BitLen() + 7) / 8
 	if k < tLen+11 {
-		err = VerificationError{}
+		err = ErrVerification
 		return
 	}
 
@@ -223,7 +223,7 @@ func VerifyPKCS1v15(pub *PublicKey, hash crypto.Hash, hashed []byte, sig []byte)
 	}
 
 	if ok != 1 {
-		return VerificationError{}
+		return ErrVerification
 	}
 
 	return nil
diff --git a/src/pkg/crypto/rsa/rsa.go b/src/pkg/crypto/rsa/rsa.go
index 677d27be5d..ec77e68696 100644
--- a/src/pkg/crypto/rsa/rsa.go
+++ b/src/pkg/crypto/rsa/rsa.go
@@ -206,13 +206,9 @@ func mgf1XOR(out []byte, hash hash.Hash, seed []byte) {
 	}
 }
 
-// MessageTooLongError is returned when attempting to encrypt a message which
-// is too large for the size of the public key.
-type MessageTooLongError struct{}
-
-func (MessageTooLongError) Error() string {
-	return "message too long for RSA public key size"
-}
+// ErrMessageTooLong is returned when attempting to encrypt a message which is
+// too large for the size of the public key.
+var ErrMessageTooLong = errors.New("crypto/rsa: message too long for RSA public key size")
 
 func encrypt(c *big.Int, pub *PublicKey, m *big.Int) *big.Int {
 	e := big.NewInt(int64(pub.E))
@@ -227,7 +223,7 @@ func EncryptOAEP(hash hash.Hash, random io.Reader, pub *PublicKey, msg []byte, l
 	hash.Reset()
 	k := (pub.N.BitLen() + 7) / 8
 	if len(msg) > k-2*hash.Size()-2 {
-		err = MessageTooLongError{}
+		err = ErrMessageTooLong
 		return
 	}
 
@@ -266,17 +262,13 @@ func EncryptOAEP(hash hash.Hash, random io.Reader, pub *PublicKey, msg []byte, l
 	return
 }
 
-// A DecryptionError represents a failure to decrypt a message.
+// ErrDecryption represents a failure to decrypt a message.
 // It is deliberately vague to avoid adaptive attacks.
-type DecryptionError struct{}
+var ErrDecryption = errors.New("crypto/rsa: decryption error")
 
-func (DecryptionError) Error() string { return "RSA decryption error" }
-
-// A VerificationError represents a failure to verify a signature.
+// ErrVerification represents a failure to verify a signature.
 // It is deliberately vague to avoid adaptive attacks.
-type VerificationError struct{}
-
-func (VerificationError) Error() string { return "RSA verification error" }
+var ErrVerification = errors.New("crypto/rsa: verification error")
 
 // modInverse returns ia, the inverse of a in the multiplicative group of prime
 // order n. It requires that a be a member of the group (i.e. less than n).
@@ -338,7 +330,7 @@ func (priv *PrivateKey) Precompute() {
 func decrypt(random io.Reader, priv *PrivateKey, c *big.Int) (m *big.Int, err error) {
 	// TODO(agl): can we get away with reusing blinds?
 	if c.Cmp(priv.N) > 0 {
-		err = DecryptionError{}
+		err = ErrDecryption
 		return
 	}
 
@@ -417,7 +409,7 @@ func DecryptOAEP(hash hash.Hash, random io.Reader, priv *PrivateKey, ciphertext
 	k := (priv.N.BitLen() + 7) / 8
 	if len(ciphertext) > k ||
 		k < hash.Size()*2+2 {
-		err = DecryptionError{}
+		err = ErrDecryption
 		return
 	}
 
@@ -473,7 +465,7 @@ func DecryptOAEP(hash hash.Hash, random io.Reader, priv *PrivateKey, ciphertext
 	}
 
 	if firstByteIsZero&lHash2Good&^invalid&^lookingForIndex != 1 {
-		err = DecryptionError{}
+		err = ErrDecryption
 		return
 	}
 
diff --git a/src/pkg/crypto/tls/conn.go b/src/pkg/crypto/tls/conn.go
index e6cee1278c..2a5115dc6a 100644
--- a/src/pkg/crypto/tls/conn.go
+++ b/src/pkg/crypto/tls/conn.go
@@ -87,9 +87,9 @@ func (c *Conn) RemoteAddr() net.Addr {
 	return c.conn.RemoteAddr()
 }
 
-// SetDeadline sets the read deadline associated with the connection.
-// There is no write deadline.
-// A zero value for t means Read will not time out.
+// SetDeadline sets the read and write deadlines associated with the connection.
+// A zero value for t means Read and Write will not time out.
+// After a Write has timed out, the TLS state is corrupt and all future writes will return the same error.
 func (c *Conn) SetDeadline(t time.Time) error {
 	return c.conn.SetDeadline(t)
 }
@@ -100,10 +100,11 @@ func (c *Conn) SetReadDeadline(t time.Time) error {
 	return c.conn.SetReadDeadline(t)
 }
 
-// SetWriteDeadline exists to satisfy the net.Conn interface
-// but is not implemented by TLS.  It always returns an error.
+// SetWriteDeadline sets the write deadline on the underlying conneciton.
+// A zero value for t means Write will not time out.
+// After a Write has timed out, the TLS state is corrupt and all future writes will return the same error.
 func (c *Conn) SetWriteDeadline(t time.Time) error {
-	return errors.New("TLS does not support SetWriteDeadline")
+	return c.conn.SetWriteDeadline(t)
 }
 
 // A halfConn represents one direction of the record layer
@@ -726,9 +727,13 @@ func (c *Conn) readHandshake() (interface{}, error) {
 }
 
 // Write writes data to the connection.
-func (c *Conn) Write(b []byte) (n int, err error) {
-	if err = c.Handshake(); err != nil {
-		return
+func (c *Conn) Write(b []byte) (int, error) {
+	if c.err != nil {
+		return 0, c.err
+	}
+
+	if c.err = c.Handshake(); c.err != nil {
+		return 0, c.err
 	}
 
 	c.out.Lock()
@@ -737,10 +742,10 @@ func (c *Conn) Write(b []byte) (n int, err error) {
 	if !c.handshakeComplete {
 		return 0, alertInternalError
 	}
-	if c.err != nil {
-		return 0, c.err
-	}
-	return c.writeRecord(recordTypeApplicationData, b)
+
+	var n int
+	n, c.err = c.writeRecord(recordTypeApplicationData, b)
+	return n, c.err
 }
 
 // Read can be made to time out and return a net.Error with Timeout() == true
diff --git a/src/pkg/crypto/x509/x509.go b/src/pkg/crypto/x509/x509.go
index 7b45ba51f4..212662e21b 100644
--- a/src/pkg/crypto/x509/x509.go
+++ b/src/pkg/crypto/x509/x509.go
@@ -327,13 +327,9 @@ type Certificate struct {
 	PolicyIdentifiers []asn1.ObjectIdentifier
 }
 
-// UnsupportedAlgorithmError results from attempting to perform an operation
-// that involves algorithms that are not currently implemented.
-type UnsupportedAlgorithmError struct{}
-
-func (UnsupportedAlgorithmError) Error() string {
-	return "cannot verify signature: algorithm unimplemented"
-}
+// ErrUnsupportedAlgorithm results from attempting to perform an operation that
+// involves algorithms that are not currently implemented.
+var ErrUnsupportedAlgorithm = errors.New("crypto/x509: cannot verify signature: algorithm unimplemented")
 
 // ConstraintViolationError results when a requested usage is not permitted by
 // a certificate. For example: checking a signature when the public key isn't a
@@ -341,7 +337,7 @@ func (UnsupportedAlgorithmError) Error() string {
 type ConstraintViolationError struct{}
 
 func (ConstraintViolationError) Error() string {
-	return "invalid signature: parent certificate cannot sign this kind of certificate"
+	return "crypto/x509: invalid signature: parent certificate cannot sign this kind of certificate"
 }
 
 func (c *Certificate) Equal(other *Certificate) bool {
@@ -366,7 +362,7 @@ func (c *Certificate) CheckSignatureFrom(parent *Certificate) (err error) {
 	}
 
 	if parent.PublicKeyAlgorithm == UnknownPublicKeyAlgorithm {
-		return UnsupportedAlgorithmError{}
+		return ErrUnsupportedAlgorithm
 	}
 
 	// TODO(agl): don't ignore the path length constraint.
@@ -389,12 +385,12 @@ func (c *Certificate) CheckSignature(algo SignatureAlgorithm, signed, signature
 	case SHA512WithRSA:
 		hashType = crypto.SHA512
 	default:
-		return UnsupportedAlgorithmError{}
+		return ErrUnsupportedAlgorithm
 	}
 
 	h := hashType.New()
 	if h == nil {
-		return UnsupportedAlgorithmError{}
+		return ErrUnsupportedAlgorithm
 	}
 
 	h.Write(signed)
@@ -416,7 +412,7 @@ func (c *Certificate) CheckSignature(algo SignatureAlgorithm, signed, signature
 		}
 		return
 	}
-	return UnsupportedAlgorithmError{}
+	return ErrUnsupportedAlgorithm
 }
 
 // CheckCRLSignature checks that the signature in crl is from c.